diff for duplicates of <1494623376.4997.28.camel@linux.vnet.ibm.com> diff --git a/a/1.txt b/N1/1.txt index 74ba0f4..fd392f4 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -1,6 +1,6 @@ On Thu, 2017-05-11 at 10:16 +0200, Christoph Hellwig wrote: > On Wed, May 10, 2017 at 05:00:47PM -0400, Mimi Zohar wrote: -> > Without i_version support the file is measured/appraised once. ?With +> > Without i_version support the file is measured/appraised once. With > > i_version support it will be re-measured/appraised. As a file system > > is mounted/remounted, some sort of message should be emitted > > indicating whether i_version is supported. @@ -10,17 +10,17 @@ On Thu, 2017-05-11 at 10:16 +0200, Christoph Hellwig wrote: Yes, I defined a new LSM hook to catch the new mounts, but there are lots of mounts, even after to limiting it to non-kernel mounts (MS_KERNMOUNT) and only checking if the MS_I_VERSION is set on -filesystems mounted read-write. ?It would be nice if there was a way +filesystems mounted read-write. It would be nice if there was a way of saying not pseudo filesystems (eg. CGROUP_SUPER_MAGIC, DEBUGFS_MAGIC, DEVPTS_SUPER_MAGIC, PROC_SUPER_MAGIC, SECURITYFS_MAGIC, SYSFS_MAGIC, etc). > -> > ?That does not imply that +> > That does not imply that > > there is no value in measuring/appraising the file only once. > > > > With this patch, the "opt-in" behavior, is only for measurement, not -> > appraisal. ?For appraisal, it still enforces file hash/signature +> > appraisal. For appraisal, it still enforces file hash/signature > > verification, as it should, based on policy. > > > > Christoph, could we call ->read_iter() in the NULL case as Boaz 
@@ -35,15 +35,10 @@ SYSFS_MAGIC, etc). In addition to the ones you've already defined, we need definitions in ramfs/file-mmu.c and file-nommu.c, and the corresponding tmpfs, to get the initial measurements from the initramfs. -? -We know that stacked filesystems have similar locking problems. ?I'm + +We know that stacked filesystems have similar locking problems. I'm loop back mounting each filesystem and testing to see if files are -being measured/re-measured properly. ?I haven't finished yet, but +being measured/re-measured properly. I haven't finished yet, but there haven't been any problems so far. Mimi - --- -To unsubscribe from this list: send the line "unsubscribe linux-security-module" in -the body of a message to majordomo at vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/a/content_digest b/N1/content_digest index d13ff6c..45099c6 100644 --- a/a/content_digest +++ b/N1/content_digest 
@@ -4,15 +4,20 @@ "ref\020170510132359.GA22549@lst.de\0" "ref\01494450047.3006.28.camel@linux.vnet.ibm.com\0" "ref\020170511081659.GA20214@lst.de\0" - "From\0zohar@linux.vnet.ibm.com (Mimi Zohar)\0" - "Subject\0[PATCH] security/ima: use fs method to read integrity data\0" + "From\0Mimi Zohar <zohar@linux.vnet.ibm.com>\0" + "Subject\0Re: [PATCH] security/ima: use fs method to read integrity data\0" "Date\0Fri, 12 May 2017 17:09:36 -0400\0" - "To\0linux-security-module@vger.kernel.org\0" + "To\0Christoph Hellwig <hch@lst.de>\0" + "Cc\0Boaz Harrosh <boaz@plexistor.com>" + Al Viro <viro@zeniv.linux.org.uk> + linux-fsdevel@vger.kernel.org + linux-ima-devel@lists.sourceforge.net + " linux-security-module@vger.kernel.org\0" "\00:1\0" "b\0" "On Thu, 2017-05-11 at 10:16 +0200, Christoph Hellwig wrote:\n" "> On Wed, May 10, 2017 at 05:00:47PM -0400, Mimi Zohar wrote:\n" - "> > Without i_version support the file is measured/appraised once. ?With\n" + "> > Without i_version support the file is measured/appraised once. \302\240With\n" "> > i_version support it will be re-measured/appraised. As a file system\n" "> > is mounted/remounted, some sort of message should be emitted\n" "> > indicating whether i_version is supported.\n" 
@@ -22,17 +27,17 @@ "Yes, I defined a new LSM hook to catch the new mounts, but there are\n" "lots of mounts, even after to limiting it to non-kernel mounts\n" "(MS_KERNMOUNT) and only checking if the MS_I_VERSION is set on\n" - "filesystems mounted read-write. ?It would be nice if there was a way\n" + "filesystems mounted read-write. \302\240It would be nice if there was a way\n" "of saying not pseudo filesystems (eg. CGROUP_SUPER_MAGIC,\n" "DEBUGFS_MAGIC, DEVPTS_SUPER_MAGIC, PROC_SUPER_MAGIC, SECURITYFS_MAGIC,\n" "SYSFS_MAGIC, etc).\n" "\n" "> \n" - "> > ?That does not imply that\n" + "> > \302\240That does not imply that\n" "> > there is no value in measuring/appraising the file only once.\n" "> > \n" "> > With this patch, the \"opt-in\" behavior, is only for measurement, not\n" - "> > appraisal. ?For appraisal, it still enforces file hash/signature\n" + "> > appraisal. \302\240For appraisal, it still enforces file hash/signature\n" "> > verification, as it should, based on policy.\n" "> > \n" "> > Christoph, could we call ->read_iter() in the NULL case as Boaz\n" 
@@ -47,17 +52,12 @@ "In addition to the ones you've already defined, we need definitions in\n" "ramfs/file-mmu.c and file-nommu.c, and the corresponding tmpfs, to get\n" "the initial measurements from the initramfs.\n" - "?\n" - "We know that stacked filesystems have similar locking problems. ?I'm\n" + "\302\240\n" + "We know that stacked filesystems have similar locking problems. \302\240I'm\n" "loop back mounting each filesystem and testing to see if files are\n" - "being measured/re-measured properly. ?I haven't finished yet, but\n" + "being measured/re-measured properly. \302\240I haven't finished yet, but\n" "there haven't been any problems so far.\n" "\n" - "Mimi\n" - "\n" - "--\n" - "To unsubscribe from this list: send the line \"unsubscribe linux-security-module\" in\n" - "the body of a message to majordomo at vger.kernel.org\n" - More majordomo info at http://vger.kernel.org/majordomo-info.html + Mimi -0eaefc401ba4f6f17d85d4996ad99095fae82bb04eeb36f9990f750e02eadb8e +768f5d5a64dc891a0aa4ea8170be2f6584683e320e2faeb7eded11f2eb795906
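Review bot: in the 1.txt hunks, each `?` that the a/ copy has after a sentence-ending period (for example `once. ?With`), and the lone `?` line before "We know that stacked filesystems", appears as `\302\240` on the N1 side of the content_digest hunks, which is the UTF-8 encoding of a non-breaking space. The `?` in the a/ copy is therefore a character-set substitution and not punctuation written by the sender. When quoting or indexing this message, take the body from the N1 copy and normalise the non-breaking spaces to plain spaces.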
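Review bot: in the content_digest header hunk (`@@ -4,15 +4,20 @@`), the a/ copy records `To` as linux-security-module@vger.kernel.org only, has a `Subject` without `Re:`, and has no `Cc`, while the N1 copy is addressed to Christoph Hellwig and copies Boaz Harrosh, Al Viro, linux-fsdevel, linux-ima-devel and linux-security-module. Thread reconstruction or recipient analysis based on the a/ copy would miss the reply marker and the other recipients, so use the N1 headers as the reference for this message.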